package io.gravitee.am.gateway.handler.common.auth.user.impl;

import com.google.common.base.Strings;
import io.gravitee.am.common.exception.authentication.AccountDisabledException;
import io.gravitee.am.common.exception.authentication.AccountEnforcePasswordException;
import io.gravitee.am.common.exception.authentication.AccountLockedException;
import io.gravitee.am.common.policy.ExtensionPoint;
import io.gravitee.am.gateway.handler.common.auth.idp.IdentityProviderManager;
import io.gravitee.am.gateway.handler.common.auth.user.EndUserAuthentication;
import io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationService;
import io.gravitee.am.gateway.handler.common.email.EmailService;
import io.gravitee.am.gateway.handler.common.policy.RulesEngine;
import io.gravitee.am.gateway.handler.common.user.UserService;
import io.gravitee.am.identityprovider.api.DefaultUser;
import io.gravitee.am.identityprovider.api.SimpleAuthenticationContext;
import io.gravitee.am.model.Domain;
import io.gravitee.am.model.ReferenceType;
import io.gravitee.am.model.Template;
import io.gravitee.am.model.User;
import io.gravitee.am.model.UserIdentity;
import io.gravitee.am.model.account.AccountSettings;
import io.gravitee.am.model.login.LoginSettings;
import io.gravitee.am.model.oidc.Client;
import io.gravitee.am.repository.management.api.CommonUserRepository;
import io.gravitee.am.repository.management.api.search.LoginAttemptCriteria;
import io.gravitee.am.service.AuditService;
import io.gravitee.am.service.exception.UserNotFoundException;
import io.gravitee.am.service.reporter.builder.AuditBuilder;
import io.gravitee.am.service.reporter.builder.management.UserAuditBuilder;
import io.gravitee.am.service.utils.UserProfileUtils;
import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/auth/user/impl/UserAuthenticationServiceImpl.class */
public class UserAuthenticationServiceImpl implements UserAuthenticationService {
    private static final Logger LOGGER = LoggerFactory.getLogger(UserAuthenticationServiceImpl.class);
    private static final String SOURCE_FIELD = "source";

    @Autowired
    private Domain domain;

    @Autowired
    private UserService userService;

    @Autowired
    private IdentityProviderManager identityProviderManager;

    @Autowired
    private AuditService auditService;

    @Autowired
    private EmailService emailService;

    @Autowired
    private RulesEngine rulesEngine;

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationService
    public Single<User> connect(io.gravitee.am.identityprovider.api.User user, Client client, Request request, boolean z) {
        User create0 = create0(user, z);
        return this.rulesEngine.fire(ExtensionPoint.PRE_CONNECT, request, client, create0).flatMap(executionContext -> {
            return saveOrUpdate(create0, executionContext, z).flatMap(user2 -> {
                return checkAccountStatus(user2).andThen(Single.defer(() -> {
                    return this.userService.enhance(user2);
                }));
            });
        }).flatMap(user2 -> {
            return this.rulesEngine.fire(ExtensionPoint.POST_CONNECT, request, client, user2).map(executionContext2 -> {
                return user2;
            });
        });
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationService
    public Single<User> connectWithPasswordless(String str, Client client) {
        return this.userService.findById(str).switchIfEmpty(Single.error(() -> {
            return new UserNotFoundException(str);
        })).flatMap(user -> {
            return isIndefinitelyLocked(user) ? Single.error(new AccountLockedException("Account is locked for user " + user.getUsername())) : !user.isEnabled().booleanValue() ? Single.error(new AccountDisabledException("Account is disabled for user " + user.getUsername())) : Single.just(user);
        }).flatMap(user2 -> {
            LoginSettings loginSettings = LoginSettings.getInstance(this.domain, client);
            Date lastLoginWithCredentials = user2.getLastLoginWithCredentials();
            if (lastLoginWithCredentials == null) {
                return Single.just(user2);
            }
            if (loginSettings == null || !loginSettings.isEnforcePasswordPolicyEnabled()) {
                return Single.just(user2);
            }
            return lastLoginWithCredentials.toInstant().plusSeconds((long) loginSettings.getPasswordlessEnforcePasswordMaxAge().intValue()).isBefore(Instant.now()) ? Single.error(new AccountEnforcePasswordException("User credentials are required")) : Single.just(user2);
        }).flatMap(user3 -> {
            user3.setLoggedAt(new Date());
            user3.setLoginsCount(Long.valueOf(user3.getLoginsCount().longValue() + 1));
            if (user3.getLastLoginWithCredentials() == null) {
                user3.setLastLoginWithCredentials(user3.getLoggedAt());
            }
            return this.userService.update(user3).flatMap(user3 -> {
                return this.userService.enhance(user3);
            });
        });
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationService
    public Maybe<User> loadPreAuthenticatedUser(String str, Request request) {
        return this.userService.findById(str).switchIfEmpty(Maybe.error(() -> {
            return new UserNotFoundException(str);
        })).flatMap(user -> {
            return isIndefinitelyLocked(user) ? Maybe.error(new AccountLockedException("User " + user.getUsername() + " is locked")) : Maybe.just(user);
        }).flatMap(user2 -> {
            return this.identityProviderManager.get(user2.getLastIdentityUsed()).flatMap(authenticationProvider -> {
                return authenticationProvider.loadPreAuthenticatedUser(new EndUserAuthentication(user2, null, new SimpleAuthenticationContext(request)));
            }).flatMap(user2 -> {
                HashMap hashMap = user2.getAdditionalInformation() == null ? new HashMap() : new HashMap(user2.getAdditionalInformation());
                hashMap.put(SOURCE_FIELD, user2.getSource());
                hashMap.put("client_id", user2.getClient());
                ((DefaultUser) user2).setAdditionalInformation(hashMap);
                Single<User> update = update(user2, create0(user2, false), false);
                UserService userService = this.userService;
                Objects.requireNonNull(userService);
                return update.flatMap(userService::enhance).toMaybe();
            }).switchIfEmpty(Maybe.defer(() -> {
                return this.userService.enhance(user2).toMaybe();
            }));
        });
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationService
    public Maybe<User> loadPreAuthenticatedUser(io.gravitee.am.identityprovider.api.User user) {
        String str = (String) user.getAdditionalInformation().get(SOURCE_FIELD);
        return this.userService.findByDomainAndExternalIdAndSource(this.domain.getId(), user.getId(), str).switchIfEmpty(Maybe.defer(() -> {
            return this.userService.findByDomainAndUsernameAndSource(this.domain.getId(), user.getUsername(), str);
        })).flatMap(user2 -> {
            return isIndefinitelyLocked(user2) ? Maybe.error(new AccountLockedException("User " + user2.getUsername() + " is locked")) : Maybe.just(user2);
        });
    }

    @Override // io.gravitee.am.gateway.handler.common.auth.user.UserAuthenticationService
    public Completable lockAccount(LoginAttemptCriteria loginAttemptCriteria, AccountSettings accountSettings, Client client, User user) {
        if (user == null) {
            return Completable.complete();
        }
        user.setAccountNonLocked(false);
        user.setAccountLockedAt(new Date());
        user.setAccountLockedUntil(new Date(System.currentTimeMillis() + (accountSettings.getAccountBlockedDuration().intValue() * 1000)));
        return this.userService.update(user).flatMap(user2 -> {
            if (user2.getEmail() != null && accountSettings.isSendRecoverAccountEmail()) {
                new Thread(() -> {
                    this.emailService.send(Template.BLOCKED_ACCOUNT, user2, client);
                }).start();
            }
            return Single.just(user);
        }).doOnSuccess(user3 -> {
            this.auditService.report(((UserAuditBuilder) ((UserAuditBuilder) ((UserAuditBuilder) ((UserAuditBuilder) ((UserAuditBuilder) AuditBuilder.builder(UserAuditBuilder.class)).type("USER_LOCKED")).domain(loginAttemptCriteria.domain())).client(loginAttemptCriteria.client())).principal((io.gravitee.am.identityprovider.api.User) null)).user(user3));
        }).ignoreElement();
    }

    private Single<User> saveOrUpdate(User user, ExecutionContext executionContext, boolean z) {
        String source = user.getSource();
        String externalId = user.getExternalId();
        String username = user.getUsername();
        String str = (String) executionContext.getAttribute("linkedAccountId");
        boolean z2 = str != null;
        return (z2 ? this.userService.findById(str) : this.userService.findByDomainAndExternalIdAndSource(this.domain.getId(), externalId, source).switchIfEmpty(Maybe.defer(() -> {
            return this.userService.findByDomainAndUsernameAndSource(this.domain.getId(), username, source);
        }))).switchIfEmpty(Single.error(() -> {
            return new UserNotFoundException(username);
        })).flatMap(user2 -> {
            return isIndefinitelyLocked(user2) ? Single.error(new AccountLockedException("User " + user2.getUsername() + " is locked")) : Single.just(user2);
        }).flatMap(user3 -> {
            return update(user3, user, z, Boolean.valueOf(z2));
        }).onErrorResumeNext(th -> {
            return th instanceof UserNotFoundException ? create(user) : Single.error(th);
        });
    }

    private boolean isIndefinitelyLocked(User user) {
        return !user.isAccountNonLocked().booleanValue() && user.getAccountLockedUntil() == null;
    }

    private Completable checkAccountStatus(User user) {
        return !user.isEnabled().booleanValue() ? Completable.error(new AccountDisabledException("Account is disabled for user " + user.getUsername())) : Completable.complete();
    }

    private Single<User> update(User user, User user2, boolean z) {
        return update(user, user2, z, null);
    }

    private Single<User> update(User user, User user2, boolean z, Boolean bool) {
        LOGGER.debug("Updating user: username[{}]", user2.getUsername());
        CommonUserRepository.UpdateActions none = CommonUserRepository.UpdateActions.none();
        if (z) {
            user.setLastIdentityUsed(user2.getSource());
            user.setLoggedAt(new Date());
            user.setLastLoginWithCredentials(user.getLoggedAt());
            user.setLoginsCount(Long.valueOf(user.getLoginsCount().longValue() + 1));
            user.setAccountNonLocked(true);
        }
        if (user2.getClient() != null) {
            user.setClient(user2.getClient());
        }
        if (isAccountLinked(bool, user, user2)) {
            upsertLinkedIdentities(user, user2);
            none.updateIdentities(true);
        } else {
            user.setExternalId(user2.getExternalId());
            if (!Strings.isNullOrEmpty(user2.getEmail())) {
                user.setEmail(user2.getEmail());
            }
            if (!Strings.isNullOrEmpty(user2.getLastName())) {
                user.setLastName(user2.getLastName());
            }
            if (!Strings.isNullOrEmpty(user2.getFirstName())) {
                user.setFirstName(user2.getFirstName());
            }
            if (user.getFirstName() != null && UserProfileUtils.hasGeneratedDisplayName(user)) {
                user.setDisplayName(UserProfileUtils.buildDisplayName(user));
            }
            none.updateDynamicRole(!Objects.equals(user.getDynamicRoles(), user2.getDynamicRoles()));
            user.setDynamicRoles(user2.getDynamicRoles());
            if (user.getLastPasswordReset() == null) {
                user.setLastPasswordReset(user.getUpdatedAt() == null ? new Date() : user.getUpdatedAt());
            }
            Map<String, Object> map = (Map) Optional.ofNullable(user2.getAdditionalInformation()).orElse(Map.of());
            removeOriginalProviderOidcTokensIfNecessary(user, z, map);
            extractAdditionalInformation(user, map);
        }
        return this.userService.update(user, none);
    }

    private void removeOriginalProviderOidcTokensIfNecessary(User user, boolean z, Map<String, Object> map) {
        if (z) {
            if (!map.containsKey("op_id_token")) {
                user.removeAdditionalInformation("op_id_token");
            }
            if (map.containsKey("op_access_token")) {
                return;
            }
            user.removeAdditionalInformation("op_access_token");
        }
    }

    private Single<User> create(User user) {
        LOGGER.debug("Creating a new user: username[%s]", user.getUsername());
        return this.userService.create(user);
    }

    private User create0(io.gravitee.am.identityprovider.api.User user, boolean z) {
        User user2 = new User();
        user2.setExternalId(user.getId());
        user2.setUsername(user.getUsername());
        user2.setEmail(user.getEmail());
        user2.setFirstName(user.getFirstName());
        user2.setLastName(user.getLastName());
        user2.setReferenceType(ReferenceType.DOMAIN);
        user2.setReferenceId(this.domain.getId());
        user2.setSource((String) user.getAdditionalInformation().get(SOURCE_FIELD));
        if (z) {
            user2.setLastIdentityUsed(user2.getSource());
            user2.setLoggedAt(new Date());
            user2.setLastLoginWithCredentials(user2.getLoggedAt());
            user2.setLoginsCount(1L);
        }
        user2.setDynamicRoles(user.getRoles());
        extractAdditionalInformation(user2, user.getAdditionalInformation());
        return user2;
    }

    private void extractAdditionalInformation(User user, Map<String, Object> map) {
        if (map != null) {
            HashMap hashMap = user.getAdditionalInformation() != null ? new HashMap(user.getAdditionalInformation()) : new HashMap();
            hashMap.putAll(map);
            if (user.getLoggedAt() != null) {
                hashMap.put("auth_time", Long.valueOf(user.getLoggedAt().getTime() / 1000));
            }
            if (user.getUsername() != null) {
                hashMap.put("preferred_username", user.getUsername());
            }
            if (hashMap.get(SOURCE_FIELD) != null) {
                user.setSource((String) hashMap.remove(SOURCE_FIELD));
            }
            if (hashMap.get("client_id") != null) {
                user.setClient((String) hashMap.remove("client_id"));
            }
            user.setAdditionalInformation(hashMap);
        }
    }

    private boolean isAccountLinked(Boolean bool, User user, User user2) {
        if (Boolean.TRUE.equals(bool)) {
            return true;
        }
        return ((List) Optional.ofNullable(user.getIdentities()).orElse(List.of())).stream().anyMatch(userIdentity -> {
            return userIdentity.getUserId().equals(user2.getExternalId());
        });
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v7, types: [java.util.List] */
    private void upsertLinkedIdentities(User user, User user2) {
        ArrayList arrayList = user.getIdentities() != null ? new ArrayList(user.getIdentities()) : null;
        if (arrayList == null || arrayList.isEmpty()) {
            arrayList = Collections.singletonList(userIdentity(user2));
        } else {
            Optional findFirst = arrayList.stream().filter(userIdentity -> {
                return userIdentity.getUserId().equals(user2.getExternalId());
            }).findFirst();
            if (findFirst.isPresent()) {
                UserIdentity userIdentity2 = new UserIdentity((UserIdentity) findFirst.get());
                userIdentity2.setUsername(user2.getUsername());
                userIdentity2.setAdditionalInformation(user2.getAdditionalInformation());
                arrayList.removeIf(userIdentity3 -> {
                    return userIdentity3.getUserId().equals(userIdentity2.getUserId());
                });
                arrayList.add(userIdentity2);
            } else {
                arrayList.add(userIdentity(user2));
            }
        }
        user.setIdentities(arrayList);
    }

    private UserIdentity userIdentity(User user) {
        UserIdentity userIdentity = new UserIdentity();
        userIdentity.setUserId(user.getExternalId());
        userIdentity.setUsername(user.getUsername());
        userIdentity.setProviderId(user.getSource());
        userIdentity.setAdditionalInformation(user.getAdditionalInformation());
        userIdentity.setLinkedAt(new Date());
        return userIdentity;
    }
}
